J.P. Morgan Chase probing possible data breach

Financial services firm J.P. Morgan Chase is investigating claims by a Washington D.C.-based workers union that it dumped documents containing personal financial data belonging to its customers in garbage bags outside five branch offices in New York.

Separately, it is also sending out letters to tens of thousands of Chicago-area customers and some employees about the potential compromise of their account information after a tape containing the data was reported missing.

The Service Employees International Union (SEIU), an organization claiming over 1.8 million members countrywide, has posted a video on YouTube that supposedly shows documents containing account data -- including full customer names, addresses and Social Security numbers -- being discovered in trash bags outside the bank branches in and around New York city.

Among the documents the video purports to show being recovered from the garbage bags are a loan application with the borrower's name, address and Social Security number, a checking account profile with similar details, a partially ripped account summary with personal data and a business credit application. The video ends with a message urging viewers to call Tom Kelly, the bank's head of media relations for Retail Financial Services and the U.S. Region.

JP Morgan and SEIU are currently locked in a labor dispute involving the hiring of security guards.

Kelly said that Chase is investigating the claims made by the SEIU in the YouTube video. According to Kelly, the standard procedure for disposing of financial documents at Chase branch locations is to put them into a large padlocked bin with an opening on top for inserting the documents. The papers are then later recovered from the bins and shredded. He added that the bins are not placed outside the facility.

"We don't know what happened here, we are trying to find out," he said. "We had a conference call with all of our branch managers and reiterated what our policies and procedures are" for document disposal.

The bank has also contacted SEIU's attorney and asked the group to share the customer information it claims to have recovered from the branch locations, Kelly said. "If those customers are at risk, we want to contact them," he said, adding that so far the bank has not heard back from the SEIU. "It is not clear that customer privacy was their first priority in this."

A spokeswoman from the SEIU did not immediately respond to a request for comment.

Meanwhile, in a separate incident the bank two weeks ago started alerting some 47,000 customers and employees in the Chicago area about the potential compromise of their personal data after a disk containing the data was reported missing late last year.

The tape contained data from J.P. Morgan's private-client services business, which provides financial services to clients with a net worth in excess of $1 million. According to Kelly, the tape was delivered to a secure off-site facility for storage but went missing after that. There is no evidence so far that the data has been misused, he said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.